In future, I hope that security patches and major "feature upgrades" are kept SEPARATE.

3.8.4 broke user login with our HTTPS site (an elusive 'fatally poisoned cookie' error that you could only catch by logging out and then logging in again). Also discovered that Joomla's "Force HTTPS" setting would literally kill the site DEAD with that new router. OUCH!!!

Yesterday I noticed the same choice of words used by another user who joined the forum—someone who chose an offensive forum username—who used the exact same words and then proceeded to complain and blame everyone about their own personal problems. I'm sure the moderator team is aware of who this person was. That person's account was banned for being abusive.

I searched for the phrase 'fatally poisoned cookie' on Google and I find no reference to this in connection with Joomla. As I mentioned, I find it curious to see the same phrase turn up here in this discussion.

https://www.kuneze.com/blogFormer member of Kunena project teamIf you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

Hi , the problem in kunena login form is ok now, but I think that the problem with the increasing number of visitors and the logged in users still remains in 3.8.5.

I updated to Joomla! 3.8.5, all seemed to be ok and the thousands of users disappeared (from the previous 3.8.4) and now for a lot of hours I'm watching it, the numbers still rising slowly - slowly, but only rising, and also the logged in users remains again logged in permanently.

Have you got the same problem or is just me? I tried even with a clean fresh browser that hadn't enter my site from there (to avoid some cookie problem) and still the same problem. I even disabled jotcache completely, cleared cache, clear cookies/history in browser, nothing, it writes only rising number of visitors and the same users that they had logged in from yesterday (and rising also with the new users that they log in).

I get a white screen (in the admin) on a dozen sites when i hit the 3.8.5 upgrade on the upgrade page. Some sites it works fine, some it doesnt...i have a one page site it doesnt work on... Turned on the error reporting and get this

Warning: get_headers(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /home/XXXX/public_html/administrator/components/com_joomlaupdate/models/default.php on line 255

Warning: get_headers(): This function may only be used against URLs in /home/XXXX/public_html/administrator/components/com_joomlaupdate/models/default.php on line 255

Yesterday I noticed the same choice of words used by another user who joined the forum—someone who chose an offensive forum username—who used the exact same words and then proceeded to complain and blame everyone about their own personal problems. I'm sure the moderator team is aware of who this person was. That person's account was banned for being abusive.

I searched for the phrase 'fatally poisoned cookie' on Google and I find no reference to this in connection with Joomla. As I mentioned, I find it curious to see the same phrase turn up here in this discussion.

I don't know if there is such a technical term in common use, but it's the most descriptive moniker I could come up with!

I didn't have time to examine the mechanism, but it seemed apt to describe a problem where after updating Joomla the only fix was for every user to dig into the bowels of their browsers and to delete all of our site cookies. But probably I had it backwards - rather than 3.8.4 'poisoning the cookies' , perhaps 3.8.4 was "allergic to the old cookies"?

In any event, I hope 'whatever the heck was going on' is now receiving the full attention of the development team - especially in connection with HTTPS sites. It virtually seems that 3.8.4 was never TESTED with an HTTPS site - is that possible? (I just don't see how they possibly could have missed it, had they been testing with HTTPS...)

mikerotec wrote: It virtually seems that 3.8.4 was never TESTED with an HTTPS site - is that possible?

I'd say that is not possible. I had no issues with HTTPS sites in 3.8.4 or the upgrade to 3.8.5.

Nor me. The issues I had were solely down to the router problem.

I have had issues with cookies from time to time after an update which has required clearance from my browser, both before and after application of my SSL Certificate. I don't believe https:// to be related to this, though. Never been able to point-point the exact cause.

I had no cookie issues when updating v3.8.3 --> v3.8.4 and then v3.8.4 --> v3.8.5

Thank you everyone for confirming—in the overwhelming majority of cases—the success of J! 3.8.5.

I note that some people are still preoccupied with the Who's Online count of visitors/guests; I've never lost any sleep over this. I would give anything to have my sites reporting 20K visitors instead of the 200 or so that I see (when I actually look, that is!) . I've never had any confidence in Joomla's ability to report these numbers—going back all the way to J! 1.5—but if people want to stress out about it then that's their problem. There are more important reasons to update to J! 3.8.5 as far as I'm concerned.

I also cannot confirm any difficulties or differences with HTTPS vs HTTP websites; I run a mix of both.

I can confirm that the fix for editing PHP files with Codemirror works. I also note that the problems involving logging in (that affect all versions of Kunena that are compatible with J! 3.x) are also resolved.

Very happy with the outcome.

https://www.kuneze.com/blogFormer member of Kunena project teamIf you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

Can't speak for this "cookie poisoning" thing, but pretty much the entirety of joomla.org runs HTTPS, so if there were indeed a cookie related issue separate from the routing issues, it would have been spotted pretty quickly after release, even if not one person in the elongated release cycle between 3.8.3 and 3.8.4 had performed an install or update on a HTTPS enabled site.

Edit after initial post: As for this high visitor count thing, part of that is there was a bug in 3.8.4 fixed in 3.8.5, part of that is the arbitrary "DELETE FROM session" query that was running on almost every page load has been changed to have a much shorter chance of running and will not run at all when using the database session handler. Do a quick read on https://github.com/joomla/joomla-cms/issues/19585 to get a better understanding of what's changed under the hood and what other under the hood changes are coming so that we can give power users the tools needed to better manage this.

Fan33GR wrote:So what about the wrong high numbers of visitors and the always logged in users?

This question has been asked (and answered) in several other places around the forum. I refer you to the post made by @mbabker above (relating to the use of the database for managing sessions). If you do not use the _sessions [database] table to manage sessions then you'll probably not find the answer(s) your looking for.

Fan33GR wrote:And one more question : Can I install 3.8.3 (which all worked perfect) over the 3.8.5 that I have already updated or my site will crash???

Short answer is ... I really can't say. If you want to revert to the situation where you had your website working "perfectly" then I suggest you restore the site from a backup. Restoring a site from a backup is the only recommended way to revert back to an earlier situation where things "worked".

Going backwards is not a very effective way of going forwards unless there's something fundamentally broken.

The real question here is "What is it about updating to J! 3.8.5 that has required you to 'go back'?" If we answer that question—if we find a solution to those problems—we can all move on ... otherwise you (and others who read this topic) will remain stuck, isolated and unable to move beyond J! 3.8.3 (and all the problems that that will create in future).

https://www.kuneze.com/blogFormer member of Kunena project teamIf you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

JAVesey wrote:
Have you tried to see if your visitor count really isn't genuine? What site-logging system are you using?

I use the default Joomla built in login and the builtin whosonline, and was working OK until I updated to 3.8.4 (and again to 3.8.5), I'm sure the numbers are completely wrong , it's about 7.000 visitors (and the average was 100) and logged in users are 80 (and the average was 10), and of course I haven't changed anything or installed anything new.
The same huge numbers and the faulty permanently logged in users are also shown in kunena forum.

I understand that it is not too serious compared to security or usability of the site, but it's annoying because all of a sudden you see these huge numbers of visitors and logged in users and wondering why happens because all previous versions was working.

I really don't understand the preoccupation with the "high number of visitors" issue with Joomla. Ever since J! 3.8.4 was released (and J! 3.8.5 came soon after) people have become consumed—to the point of fanaticism (one person has written that they're abandoning Joomla because of this failing) or obsession. Why this obsession?

Ask any Joomla professional what value they see in the Who's Online module number and you'll probably get the same response: people don't—as a general rule—use it or, if do they use it, they don't rely on the accuracy the measurement. I'm not unsympathetic to people's complaints about the Who's Online information but, if people are using this information as a surrogate form of site analytics then they're mistaken as to its purpose.

People ask "Why am I seeing so many visitors when I'm the only person who uses my website?" Hmmm ... who knows. The Who's Online module reports "visits" from search engines, from 'bots as well as from human visitors. A detailed analysis of the server log files will establish where these visits originate.

People say that, after updating to J! 3.8.5, the visitor count has not gone down. Well, have you really understood what @mbabker was saying on this subject? The numbers may go down by themselves or they may not; it depends on how the sessions are being managed. Regardless of the proven accuracy of the numbers, there's a better chance that the Who's Online module will report a more reasonable value if people use the database to manage sessions as opposed to using a file. That's really all I can say.

As far as Kunena is concerned, the numbers are obtained from Joomla but, for the same reasons that I have written on many occasions, the information is as "accurate" (or, better said to be inaccurate) as it has always been for the past 10 years.

The problem comes back to (a) the session lifetime, (b) how sessions are managed, and (c), in the case of Kunena, whether the Kunena session lifetime is different to the Joomla session lifetime.

https://www.kuneze.com/blogFormer member of Kunena project teamIf you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

The previous versions worked because there was an arbitrary DELETE FROM query being run on most requests to Joomla, creating a performance issue for large scale sites. That performance issue was addressed, creating two side effects:

1) That arbitrary query is NEVER run now when the database session handler is in use, instead PHP's native session garbage collection configuration is relied on for this (which, depending on the server config, might be set to never run)
2) For the other session handlers, the frequency of said query was reduced from running on every even numbered second (so 30/60 seconds in a minute) to running on a divisor of 5 (so 12/60 seconds in a minute). So it'll still run, but not as aggressively.

If you really need this module to display accurate numbers, do not use the database session handler, switch to the native filesystem handler (IIRC it's named "PHP" in the global config). Otherwise, you need to be ready to fine tune your system's PHP configuration or write a cron job to trigger a cleanup operation.

Sounds like we have to wait for v.3.8.6 untill all updates becoming stable and clean from some strange errors. Personaly for me it's big surprise, why betta(or alpha) version Joomla becoming to official relise and can screwed-up many web sites.
PS. So far ver. 3.8.3 works nice.